Install MongoDB

Configure Package Management System (APT)

The Ubuntu package management tools (i.e. dpkg and apt) ensure package consistency and authenticity by requiring that distributors sign packages with GPG keys. Issue the following command to import the 10gen public GPG key:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10
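Importing a key by its 8-character short ID only tells apt which key to fetch; it does not prove the keyserver handed back the key you meant. The following added check (not part of the MongoDB or Graylog2 documentation) reads a colon-format gpg listing of the apt keyring and accepts the key only if exactly one full fingerprint matches the value you obtained from the vendor; the listing and expected fingerprint in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the MongoDB or Graylog2 docs: after importing a key by
# its 32-bit short ID (7F0CEB10 above), confirm the FULL fingerprint of what
# actually landed in the apt keyring before installing anything from that repo.
# `apt-key adv` passes its arguments to gpg, so a listing in the format below
# comes from:  sudo apt-key adv --with-colons --fingerprint 7F0CEB10

# Print the full fingerprint of every key whose ID ends in the given short ID.
# $1 = colon-format gpg listing, $2 = short key ID (8 hex digits)
fingerprints_for_short_id() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '
        $1 == "pub" || $1 == "sub" { want = (substr($5, length($5) - 7) == id) }
        $1 == "fpr" && want        { print $10 }'
}

# Exit 0 only if exactly one fingerprint was found (a short ID can collide)
# and it equals the expected fingerprint $3.
key_matches_expected() {
    found=$(fingerprints_for_short_id "$1" "$2")
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] && [ "$found" = "$3" ]
}

# Constructed sample listing (NOT the real 10gen key). The expected value must
# come from the vendor's published key, never from the keyserver response alone.
SAMPLE_LISTING='pub:-:2048:1:666677777F0CEB10:2011-09-28:::-:Example Signer <signer@example.invalid>::scESC:
fpr:::::::::000011112222333344445555666677777F0CEB10:
sub:-:2048:1:AAAABBBBCCCCDDDD:2011-09-28::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'
EXPECTED_FPR='000011112222333344445555666677777F0CEB10'   # placeholder value

if key_matches_expected "$SAMPLE_LISTING" 7F0CEB10 "$EXPECTED_FPR"; then
    echo "key 7F0CEB10: fingerprint verified"
else
    echo "key 7F0CEB10: FINGERPRINT MISMATCH, do not install from this repository" >&2
fi
```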

Create a /etc/apt/sources.list.d/10gen.list file using the following command.

Install Packages

Issue the following command to install the latest stable version of MongoDB:

sudo apt-get install mongodb-10gen

When this command completes, you have successfully installed MongoDB! Continue for configuration and start-up suggestions.

Manage Installed Versions

You can use the mongodb-10gen package to install previous versions of MongoDB. To install a specific release, append the version number to the package name, as in the following example:

apt-get install mongodb-10gen=2.2.3

This will install the 2.2.3 release of MongoDB. You can specify any available version of MongoDB; however, apt-get will upgrade the mongodb-10gen package when a newer version becomes available. Use the following pinning procedure to prevent unintended upgrades.

To pin a package, issue the following command at the system prompt to pin the version of MongoDB at the currently installed version:

Configuration

You can leave most variables as they are for a first start. All of them should be well documented.

Configure at least these variables in /etc/graylog2.conf:

is_master = true

Set only one graylog2-server node as the master. This node performs periodic maintenance actions that slave nodes don’t. Every slave node accepts messages just as the master node does. A node will fall back to slave mode if there already is a master in the cluster.

elasticsearch_config_file = /etc/graylog2-elasticsearch.yml

This is the path to the ElasticSearch configuration file for the built-in ElasticSearch node of graylog2-server. Your graylog2-server node will act as a node in your ElasticSearch cluster, but not store any data itself. It will distribute the writes to other nodes in the ElasticSearch cluster.

elasticsearch_max_docs_per_index = 20000000

How many log messages to keep per index. This setting multiplied with elasticsearch_max_number_of_indices gives the maximum number of messages in your Graylog2 setup. It is always better to have more, smaller indices than just a few larger ones.

elasticsearch_max_number_of_indices = 20

How many indices to have in total. If this number is reached, the oldest index will be deleted.

elasticsearch_shards = 4

The number of shards for your indices. A good setting here highly depends on the number of nodes in your ElasticSearch cluster. If you have one node, set it to 1. Read more about this in the knowledge base article about configuring and tuning ElasticSearch.

elasticsearch_replicas = 0

The number of replicas for your indices. A good setting here highly depends on the number of nodes in your ElasticSearch cluster. If you have one node, set it to 0. Read more about this in the knowledge base article about configuring and tuning ElasticSearch.

recent_index_ttl_minutes = 60

Graylog2 keeps a so-called recent index that includes only the newest log messages. This allows fast overview pages in the web interface. The messages you see in the “show recent messages” view are from this index. If you have thousands of messages per minute, set it to 1 minute because so many new messages are coming in. If you have just a few messages per minute, set it to a higher value to still have a good overview without having to click on “show all messages”.

mongodb_*

Enter your MongoDB connection and authentication information here. Make sure that you connect the web interface to the same database. You don’t need to configure mongodb_user and mongodb_password if mongodb_useauth is set to false.

…and at least these in /etc/graylog2-elasticsearch.yml:

cluster.name: graylog2

The cluster name of your ElasticSearch cluster. All nodes that are discovered will join the cluster if they have the same cluster name. This must be the same cluster name your ElasticSearch nodes have configured.

Multicast/Unicast

The default setting of ElasticSearch is to use multicast to discover other nodes. This can be useful but is a bit hard to configure depending on your network architecture. Also think about your broadcast domains: if a developer starts up an ElasticSearch node in the same multicast broadcast domain, it will join your production cluster (if the cluster.name is the same). If you don’t plan to change or add ElasticSearch nodes regularly, I would recommend disabling multicast and enabling unicast. Do this by setting discovery.zen.ping.multicast.enabled: false and adding your ElasticSearch node hosts to discovery.zen.ping.unicast.hosts. Multicast should be fine for a first quick start though, and should have no problems discovering a node on localhost.

Example for unicast discovery of a standard ElasticSearch server on the same host:

If you run your ElasticSearch node and the embedded graylog2-server ElasticSearch node on the same host and get port binding errors, you might have to define different ports for them. It is recommended to have at least ElasticSearch running on a different host than graylog2-server.
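As an added example that is not part of the Graylog2 documentation, the following shell audit reads the two files configured above (constructed sample contents; the real paths are /etc/graylog2.conf and /etc/graylog2-elasticsearch.yml) and flags the settings this section warns about: a MongoDB connection with mongodb_useauth left at false, multicast discovery left enabled, and multicast disabled without any discovery.zen.ping.unicast.hosts.

```shell
#!/bin/sh
# Added example, not from the Graylog2 docs: a pre-start audit of graylog2.conf
# and graylog2-elasticsearch.yml for the settings with the widest blast radius
# described above. Sample file contents below are constructed.

# Value of a "key = value" setting in graylog2.conf ($1 = file, $2 = key).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Value of a "key: value" setting in the ElasticSearch yml ($1 = file, $2 = key).
yml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
audit_graylog2() {
    rc=0
    if [ "$(conf_get "$1" mongodb_useauth)" != "true" ]; then
        echo "WARN $1: mongodb_useauth is not true; MongoDB is used without authentication"; rc=1
    fi
    multicast=$(yml_get "$2" discovery.zen.ping.multicast.enabled)
    if [ "$multicast" != "false" ]; then
        echo "WARN $2: multicast discovery enabled; any host in the broadcast domain with cluster.name=$(yml_get "$2" cluster.name) can join the cluster"; rc=1
    elif [ -z "$(yml_get "$2" discovery.zen.ping.unicast.hosts)" ]; then
        echo "WARN $2: multicast disabled but discovery.zen.ping.unicast.hosts is empty; the node will find no cluster"; rc=1
    fi
    return $rc
}

# Constructed sample files reproducing the weak defaults discussed above.
TMP=$(mktemp -d)
cat > "$TMP/graylog2.conf" <<'EOF'
is_master = true
elasticsearch_config_file = /etc/graylog2-elasticsearch.yml
mongodb_useauth = false
EOF
cat > "$TMP/graylog2-elasticsearch.yml" <<'EOF'
cluster.name: graylog2
discovery.zen.ping.multicast.enabled: true
EOF

audit_graylog2 "$TMP/graylog2.conf" "$TMP/graylog2-elasticsearch.yml" \
    || echo "fix the findings above before starting graylog2-server"
```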

Installing graylog2-web-interface on Debian 6

Prerequisites

You will need to have the following services installed, either on the host you are running graylog2-web-interface on or on dedicated machines:

One or more instances of graylog2-server

ElasticSearch v0.20.4

MongoDB (as recent stable version as possible, at least v2.0)

You must use ElasticSearch v0.20.4 to avoid compatibility problems.
The Debian MongoDB packages are outdated. Use the official MongoDB apt source (available for many distributions and operating systems).

Configuration

Edit all config/*.yml configuration files – they should be pretty self-explanatory and are commented. Of course, the configured MongoDB and ElasticSearch instances/databases (mongoid.yml, indexer.yml) have to be the same ones that graylog2-server uses. The web interface won’t start up if it can’t connect to the specified MongoDB instance. You can specify any ElasticSearch node as target (except the graylog2-server data-only nodes) – read operations will be distributed over the cluster automatically.